diff --git a/lib/core/services/auth-guard-sso-role.service.spec.ts b/lib/core/services/auth-guard-sso-role.service.spec.ts
index 24dfbabebb..9b80836547 100644
--- a/lib/core/services/auth-guard-sso-role.service.spec.ts
+++ b/lib/core/services/auth-guard-sso-role.service.spec.ts
@@ -115,8 +115,8 @@ describe('Auth Guard SSO role service', () => {
 it('Should canActivate be false hasRealm is true and hasClientRole is false', () => {
 const route: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
- spyOn(authGuard, 'hasRealmRoles').and.returnValue(true);
- spyOn(authGuard, 'hasRealmRolesForClientRole').and.returnValue(false);
+ spyOn(jwtHelperService, 'hasRealmRoles').and.returnValue(true);
+ spyOn(jwtHelperService, 'hasRealmRolesForClientRole').and.returnValue(false);
 route.params = { appName: 'fakeapp' };
 route.data = { 'clientRoles': ['appName'], 'roles': ['role1', 'role2'] };
@@ -126,8 +126,8 @@ describe('Auth Guard SSO role service', () => {
 it('Should canActivate be false if hasRealm is false and hasClientRole is true', () => {
 const route: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
- spyOn(authGuard, 'hasRealmRoles').and.returnValue(false);
- spyOn(authGuard, 'hasRealmRolesForClientRole').and.returnValue(true);
+ spyOn(jwtHelperService, 'hasRealmRoles').and.returnValue(false);
+ spyOn(jwtHelperService, 'hasRealmRolesForClientRole').and.returnValue(true);
 route.params = { appName: 'fakeapp' };
 route.data = { 'clientRoles': ['fakeapp'], 'roles': ['role1', 'role2'] };
@@ -164,53 +164,4 @@ describe('Auth Guard SSO role service', () => {
 expect(authGuard.canActivate(route)).toBeFalsy();
 });
-
- describe('ClientRole ', () => {
-
- it('Should be true if the resource_access contains the single role', () => {
- spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
-
- spyOn(jwtHelperService, 'decodeToken').and.returnValue(
- {
- 'resource_access': { fakeapp: { roles: ['role1'] } }
- });
-
- const result = authGuard.hasRealmRolesForClientRole('fakeapp', ['role1']);
- expect(result).toBeTruthy();
- });
-
- it('Should be true if the resource_access contains at least one of the roles', () => {
- spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
-
- spyOn(jwtHelperService, 'decodeToken').and.returnValue(
- {
- 'resource_access': { fakeapp: { roles: ['role1'] } }
- });
-
- const result = authGuard.hasRealmRolesForClientRole('fakeapp', ['role1', 'role2']);
- expect(result).toBeTruthy();
- });
-
- it('Should be false if the resource_access does not contain the role', () => {
- spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
- spyOn(jwtHelperService, 'decodeToken').and.returnValue(
- {
- 'resource_access': { fakeapp: { roles: ['role3'] } }
- });
- const result = authGuard.hasRealmRolesForClientRole('fakeapp', ['role1', 'role2']);
- expect(result).toBeFalsy();
- });
-
- it('Should be false if the resource_access does not contain the client role related to the app', () => {
- spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
- spyOn(jwtHelperService, 'decodeToken').and.returnValue(
- {
- 'resource_access': { anotherfakeapp: { roles: ['role1'] } }
- });
- const result = authGuard.hasRealmRolesForClientRole('fakeapp', ['role1', 'role2']);
- expect(result).toBeFalsy();
- });
-
- });
-
 });
diff --git a/lib/core/services/auth-guard-sso-role.service.ts b/lib/core/services/auth-guard-sso-role.service.ts
index d3e321e2e6..b82b426cee 100644
--- a/lib/core/services/auth-guard-sso-role.service.ts
+++ b/lib/core/services/auth-guard-sso-role.service.ts
@@ -32,13 +32,13 @@ export class AuthGuardSsoRoleService implements CanActivate {
 if (route.data) {
 if (route.data['roles']) {
 const rolesToCheck = route.data['roles'];
- hasRealmRole = this.hasRealmRoles(rolesToCheck);
+ hasRealmRole = this.jwtHelperService.hasRealmRoles(rolesToCheck);
 }
 if (route.data['clientRoles']) {
 const clientRoleName = route.params[route.data['clientRoles']];
 const rolesToCheck = route.data['roles'];
- hasClientRole = this.hasRealmRolesForClientRole(clientRoleName, rolesToCheck);
+ hasClientRole = this.jwtHelperService.hasRealmRolesForClientRole(clientRoleName, rolesToCheck);
 }
 }
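Review bot: The new `this.jwtHelperService.hasRealmRolesForClientRole(clientRoleName, rolesToCheck)` call still receives `rolesToCheck = route.data['roles']` unguarded, so a route configured with `clientRoles` but no `roles` hands `undefined` to a method that calls `rolesToCheck.some(...)` (see the jwt-helper.service.ts hunk) and canActivate throws a TypeError instead of returning false. Defaulting the second lookup, `const rolesToCheck = route.data['roles'] || [];`, keeps the guard denying access without the exception. The `clientRoleName` context line also indexes `route.params` with whatever `route.data['clientRoles']` holds (an array in the spec fixtures, coerced to a string key), which deserves a comment stating the expected shape. canActivate starts and ends outside this hunk.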
@@ -53,48 +53,4 @@ export class AuthGuardSsoRoleService implements CanActivate {
 constructor(private jwtHelperService: JwtHelperService, private router: Router) { }
-
- getRealmRoles(): string[] {
- const access = this.jwtHelperService.getValueFromLocalAccessToken('realm_access');
- return access ? access['roles'] : [];
- }
-
- getClientRoles(client: string): string[] {
- const clientRole = this.jwtHelperService.getValueFromLocalAccessToken('resource_access')[client];
- return clientRole ? clientRole['roles'] : [];
- }
-
- hasRealmRole(role: string): boolean {
- let hasRole = false;
- if (this.jwtHelperService.getAccessToken()) {
- const realmRoles = this.getRealmRoles();
- hasRole = realmRoles.some((currentRole) => {
- return currentRole === role;
- });
- }
- return hasRole;
- }
-
- hasRealmRoles(rolesToCheck: string []): boolean {
- return rolesToCheck.some((currentRole) => {
- return this.hasRealmRole(currentRole);
- });
- }
-
- hasRealmRolesForClientRole(clientRole: string, rolesToCheck: string []): boolean {
- return rolesToCheck.some((currentRole) => {
- return this.hasClientRole(clientRole, currentRole);
- });
- }
-
- hasClientRole(clientRole, role: string): boolean {
- let hasRole = false;
- if (this.jwtHelperService.getAccessToken()) {
- const clientRoles = this.getClientRoles(clientRole);
- hasRole = clientRoles.some((currentRole) => {
- return currentRole === role;
- });
- }
- return hasRole;
- }
 }
diff --git a/lib/core/services/jwt-helper.service.spec.ts b/lib/core/services/jwt-helper.service.spec.ts
index f5b0d57d71..75778fba6b 100644
--- a/lib/core/services/jwt-helper.service.spec.ts
+++ b/lib/core/services/jwt-helper.service.spec.ts
@@ -44,4 +44,101 @@ describe('JwtHelperService', () => {
 expect(result['name']).toBe('John Doe');
 expect(result['email']).toBe('johnDoe@gmail.com');
 });
+
+ describe('RealmRole ', () => {
+
+ it('Should be true if the realm_access contains the single role', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'realm_access': { roles: ['role1'] }
+ });
+
+ const result = jwtHelperService.hasRealmRole('role1');
+ expect(result).toBeTruthy();
+ });
+
+ it('Should be true if the realm_access contains at least one of the roles', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'realm_access': { roles: ['role1'] }
+ });
+
+ const result = jwtHelperService.hasRealmRoles(['role1', 'role2']);
+ expect(result).toBeTruthy();
+ });
+
+ it('Should be false if the realm_access does not contain the role', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'realm_access': { roles: ['role3'] }
+ });
+ const result = jwtHelperService.hasRealmRole('role1');
+ expect(result).toBeFalsy();
+ });
+
+ it('Should be false if the realm_access does not contain at least one of the roles', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'realm_access': { roles: ['role1'] }
+ });
+ const result = jwtHelperService.hasRealmRoles(['role3', 'role2']);
+ expect(result).toBeFalsy();
+ });
+
+ });
+
+ describe('ClientRole ', () => {
+
+ it('Should be true if the resource_access contains the single role', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'resource_access': { fakeapp: { roles: ['role1'] } }
+ });
+
+ const result = jwtHelperService.hasRealmRolesForClientRole('fakeapp', ['role1']);
+ expect(result).toBeTruthy();
+ });
+
+ it('Should be true if the resource_access contains at least one of the roles', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'resource_access': { fakeapp: { roles: ['role1'] } }
+ });
+
+ const result = jwtHelperService.hasRealmRolesForClientRole('fakeapp', ['role1', 'role2']);
+ expect(result).toBeTruthy();
+ });
+
+ it('Should be false if the resource_access does not contain the role', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'resource_access': { fakeapp: { roles: ['role3'] } }
+ });
+ const result = jwtHelperService.hasRealmRolesForClientRole('fakeapp', ['role1', 'role2']);
+ expect(result).toBeFalsy();
+ });
+
+ it('Should be false if the resource_access does not contain the client role related to the app', () => {
+ spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
+ spyOn(jwtHelperService, 'decodeToken').and.returnValue(
+ {
+ 'resource_access': { anotherfakeapp: { roles: ['role1'] } }
+ });
+ const result = jwtHelperService.hasRealmRolesForClientRole('fakeapp', ['role1', 'role2']);
+ expect(result).toBeFalsy();
+ });
+
+ });
+
 });
diff --git a/lib/core/services/jwt-helper.service.ts b/lib/core/services/jwt-helper.service.ts
index c920afd57a..667780323d 100644
--- a/lib/core/services/jwt-helper.service.ts
+++ b/lib/core/services/jwt-helper.service.ts
@@ -27,6 +27,8 @@ export class JwtHelperService {
 static GIVEN_NAME = 'given_name';
 static USER_EMAIL = 'email';
 static USER_ACCESS_TOKEN = 'access_token';
+ static REALM_ACCESS = 'realm_access';
+ static RESOURCE_ACCESS = 'resource_access';
 static USER_PREFERRED_USERNAME = 'preferred_username';
 constructor() {
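Review bot: None of the added RealmRole/ClientRole cases covers a decoded token that lacks the claim under test, nor one where `getAccessToken()` returns a falsy value, so the `access ? ... : []` fallback in `getRealmRoles` and the unguarded `[clientName]` index in `getClientRoles` (see the jwt-helper.service.ts hunk) are never exercised. Consider adding `it('Should be false if the token has no resource_access claim', ...)` with `decodeToken` returning `{}` and expecting `hasRealmRolesForClientRole('fakeapp', ['role1'])` to be false, plus a mirror case for `realm_access` against `hasRealmRole`. A case with `getAccessToken` returning `''` would pin the no-token path of `hasRealmRole` and `hasClientRole`, which is the path a guard relies on for logged-out users.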
@@ -104,4 +106,78 @@ export class JwtHelperService {
 }
 return value;
 }
+
+ /**
+ * Gets realm roles.
+ * @returns Array of realm roles
+ */
+ getRealmRoles(): string[] {
+ const access = this.getValueFromLocalAccessToken(JwtHelperService.REALM_ACCESS);
+ return access ? access['roles'] : [];
+ }
+
+ /**
+ * Gets Client roles.
+ * @returns Array of client roles
+ */
+ getClientRoles(clientName: string): string[] {
+ const clientRole = this.getValueFromLocalAccessToken(JwtHelperService.RESOURCE_ACCESS)[clientName];
+ return clientRole ? clientRole['roles'] : [];
+ }
+
+ /**
+ * Checks for single realm role.
+ * @param role Role name to check
+ * @returns True if it contains given role, false otherwise
+ */
+ hasRealmRole(role: string): boolean {
+ let hasRole = false;
+ if (this.getAccessToken()) {
+ const realmRoles = this.getRealmRoles();
+ hasRole = realmRoles.some((currentRole) => {
+ return currentRole === role;
+ });
+ }
+ return hasRole;
+ }
+
+ /**
+ * Checks for realm roles.
+ * @param rolesToCheck List of role names to check
+ * @returns True if it contains at least one of the given roles, false otherwise
+ */
+ hasRealmRoles(rolesToCheck: string []): boolean {
+ return rolesToCheck.some((currentRole) => {
+ return this.hasRealmRole(currentRole);
+ });
+ }
+
+ /**
+ * Checks for client roles.
+ * @param clientName Targeted client name
+ * @param rolesToCheck List of role names to check
+ * @returns True if it contains at least one of the given roles, false otherwise
+ */
+ hasRealmRolesForClientRole(clientName: string, rolesToCheck: string []): boolean {
+ return rolesToCheck.some((currentRole) => {
+ return this.hasClientRole(clientName, currentRole);
+ });
+ }
+
+ /**
+ * Checks for client role.
+ * @param clientName Targeted client name
+ * @param role Role name to check
+ * @returns True if it contains given role, false otherwise
+ */
+ hasClientRole(clientName: string, role: string): boolean {
+ let hasRole = false;
+ if (this.getAccessToken()) {
+ const clientRoles = this.getClientRoles(clientName);
+ hasRole = clientRoles.some((currentRole) => {
+ return currentRole === role;
+ });
+ }
+ return hasRole;
+ }
 }
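Review bot: `getClientRoles` indexes the result of `this.getValueFromLocalAccessToken(JwtHelperService.RESOURCE_ACCESS)` with `[clientName]` before checking it, unlike `getRealmRoles` just above, which guards `access` first; if the helper yields `undefined` for a missing claim (not shown in this hunk), a token without `resource_access` makes `hasClientRole` throw rather than return false. Splitting the lookup fixes it: `const resourceAccess = this.getValueFromLocalAccessToken(JwtHelperService.RESOURCE_ACCESS);` followed by `const clientRole = resourceAccess ? resourceAccess[clientName] : undefined;`. The TSDoc for `getClientRoles` also lacks `@param clientName Targeted client name`, which the other new methods document. These checks appear to read roles from the locally held token as decoded on the client, so they are suitable for route guarding but are not a substitute for server-side authorization of the resources behind the route.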